Facebook's security team in Menlo Park said the 27- and 31-year-old botnet authors had initiated 20 distinct spam campaigns between December 2013 and June 2014 before they were arrested last week. They managed to affect Facebook and other online services, with some of the victims having received private messages containing a ‘zip’ attachment holding a Visual Basic script or a Java JAR file.

If executed, these files would then retrieve other malware modules kept on particular remote sites. These modules were either DarkComet, a widely used remote access tool for harvesting login credentials, or variants of applications that mine the Litecoin cryptocurrency.

Lecpetex was able to circumvent Facebook’s filters designed to stop this kind of malware from spreading by frequently refreshing and altering the malicious attachments. The malware also had another tactic that ensured its survival: automatically updating itself to evade various antivirus products.

According to Facebook, the authors put significant effort into evading the company’s attachment scanning programs by creating many variations of malformed zip files. These would open properly in Windows while causing various scanning techniques to fail. Facebook consequently reached out to law enforcement agencies and infrastructure providers after realizing that security software alone was not going to thwart Lecpetex.
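The post does not say which malformations Lecpetex used, so the following added example (not Facebook's tooling or code from the post) demonstrates one defensive check for the general class it describes: comparing a ZIP's central directory against its local file headers, because an archive that reads one way through one structure and another way through the other is exactly the kind of file that opens fine in Windows yet confuses a scanner. The function names, the sample archive and the inconsistent copy of it are all constructed for this example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # fixed 30-byte local file header


def build_zip(name: str, data: bytes) -> bytes:
    """Constructed sample: a well-formed single-member archive (stored, no compression)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def make_inconsistent_sample(blob: bytes, old: str, new: str) -> bytes:
    """Constructed test input: rewrite only the central-directory copy of a member name
    (the last occurrence in the file), leaving the local header untouched."""
    assert len(old) == len(new), "equal lengths keep every offset valid"
    idx = blob.rfind(old.encode())
    return blob[:idx] + new.encode() + blob[idx + len(old):]


def zip_findings(blob: bytes) -> list:
    """Compare each central-directory entry with the local header it points to.
    Extractors trust one structure and scanners often the other, so any disagreement
    is a reason to quarantine the file rather than trust either view."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:  # zipfile parses the central directory
        for info in zf.infolist():
            off = info.header_offset
            hdr = blob[off:off + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
                findings.append(f"{info.filename}: no local header at offset {off}")
                continue
            _, _, flags, method, _, _, crc, csize, usize, nlen, _ = struct.unpack(LOCAL_FMT, hdr)
            enc = "utf-8" if flags & 0x800 else "cp437"
            local_name = blob[off + 30:off + 30 + nlen].decode(enc, "replace")
            if local_name != info.filename:
                findings.append(f"name mismatch: local={local_name!r} central={info.filename!r}")
            if method != info.compress_type:
                findings.append(f"{info.filename}: method local={method} central={info.compress_type}")
            # Bit 3 set means CRC and sizes live in a data descriptor after the data, not here.
            if not flags & 0x8 and (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
                findings.append(f"{info.filename}: CRC/size fields disagree with central directory")
    return findings


if __name__ == "__main__":
    clean = build_zip("notes.txt", b"constructed sample content\n")
    suspect = make_inconsistent_sample(clean, "notes.txt", "notes.vbs")
    print("clean:", zip_findings(clean))      # []
    print("suspect:", zip_findings(suspect))  # one name-mismatch finding
```

ZIP64 archives and entries using data descriptors need extra handling beyond this check, which is why the descriptor case is skipped rather than misreported.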

The social media company admits that neutralizing a threat like Lecpetex requires a joint effort of technical analysis capabilities, agility in deploying new countermeasures, industry collaboration and law enforcement cooperation.

Facebook's security team says it escalated the Lecpetex case on April 30 this year to the Cybercrime Subdivision of the Greek Police, and the agency immediately showed strong willingness to cooperate with Facebook.

Greek Police stated that, by the time they were arrested, the authors were in the process of establishing a Bitcoin ‘mixing’ service that would help them launder stolen Bitcoins.

A blog post on Tuesday from Facebook’s Threat Infrastructure team identified the affected areas as Greece, Norway, Poland, India, Portugal and the United States.

Facebook representatives described the difficulties experienced in shutting down the botnet, adding that the creators taunted them through messages left on servers that were part of its network.

A local Greek reporter called this the ‘most important’ case the Greek Cyber Crime Unit has handled, as the malware was said to have compromised an email password connected to the Greek Ministry of Mercantile Marine.